CVE-2026-20883

6.5 MEDIUM

📋 TL;DR

This vulnerability allows users with revoked access to private Gitea repositories to still view issue titles and repository names through previously started stopwatches. It affects Gitea instances where users have had their repository permissions revoked while stopwatches were active. This is an improper access control issue that leaks limited repository metadata.

💻 Affected Systems

Products:
  • Gitea
Versions: before 1.25.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with private repositories and users who had stopwatches running when their access was revoked.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized users could enumerate private repository names and issue titles, potentially revealing sensitive project information or organizational structure.

🟠 Likely Case

Former collaborators or team members who lost access could still see repository names and issue titles they shouldn't have access to, violating access control policies.

🟢 If Mitigated

With proper monitoring and access revocation procedures, the impact is limited to metadata leakage rather than full repository access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires previously authenticated user sessions with active stopwatches before access revocation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.25.4

Vendor Advisory: https://github.com/go-gitea/gitea/security/advisories/GHSA-644v-xv3j-xgqg

Restart Required: Yes

Instructions:

1. Backup your Gitea instance and database.
2. Download Gitea 1.25.4 or later from official releases.
3. Stop the Gitea service.
4. Replace the Gitea binary with the new version.
5. Restart the Gitea service.
6. Verify the version is 1.25.4 or higher.

🔧 Temporary Workarounds

Stopwatch Cleanup

Applies to: all

Manually clear all active stopwatches for users who have had repository access revoked. A stopwatch is "running" as long as its row exists in the stopwatch table, so the rows must be deleted rather than having created_unix reset to 0 (that only rewinds the timer). Gitea keeps no table of revoked access (revocation removes the user's rows from the access tables), so the affected user IDs have to be supplied by the operator. Back up the database before running this.

-- placeholder IDs: replace with the user IDs whose repository access was revoked
DELETE FROM stopwatch WHERE user_id IN (123, 456);

🧯 If You Can't Patch

  • Implement strict access revocation procedures that include terminating all active user sessions
  • Monitor and audit stopwatch API access logs for unauthorized repository metadata requests

🔍 How to Verify

Check if Vulnerable:

Check if the Gitea version is below 1.25.4 and whether users with revoked repository access can still reach stopwatch API endpoints for those repositories.

Check Version:

./gitea --version

Verify Fix Applied:

After upgrading to 1.25.4 or later, verify that users with revoked access can no longer reach stopwatch API endpoints for private repositories.

📡 Detection & Monitoring

Log Indicators:

  • API requests to /api/v1/repos/{owner}/{repo}/stopwatch from users who shouldn't have repository access
  • Stopwatch-related API calls returning repository metadata for users with revoked permissions

Network Indicators:

  • Unusual patterns of stopwatch API requests to private repositories

SIEM Query:

source="gitea.log" AND ("stopwatch" OR "/api/v1/repos/") AND response_code=200 AND user_id IN (<revoked-user lookup>)

This is a pseudo-query: the field names are illustrative, and Gitea ships no list of revoked users, so the revoked-user set must be maintained by the operator (for example as a SIEM lookup) and substituted for the placeholder.
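The log indicators above can be scripted. The following Python is an added example, not code from the page or from the Gitea project. It assumes Gitea's access log in its default template, which resembles Apache combined log format with the authenticated username in the identity field; the log lines, user names and repository names below are constructed. It flags successful stopwatch API requests made by users on an operator-maintained revoked list, matching the path the page names as well as Gitea's per-issue (`.../issues/{index}/stopwatch/...`) and per-user (`/api/v1/user/stopwatches`) stopwatch routes:

```python
import re
from dataclasses import dataclass

# Assumed log shape: Gitea access log (ENABLE_ACCESS_LOG = true) in its default
# template, i.e. "<host> - <user> [<time>] "<method> <path> <proto>" <status> <size> ..."
ACCESS_LINE = re.compile(
    r'^(?P<host>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Any API route that touches stopwatches: the repo-level path named in the
# advisory summary, the per-issue start/stop/delete routes, and the per-user list.
STOPWATCH_PATH = re.compile(
    r'^/api/v1/(?:user/stopwatches|repos/[^/]+/[^/]+/.*stopwatch)'
)


@dataclass(frozen=True)
class Hit:
    user: str
    method: str
    path: str
    status: int
    time: str


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = ACCESS_LINE.match(line)
    return m.groupdict() if m else None


def find_revoked_stopwatch_hits(lines, revoked_users):
    """Return successful (HTTP 200) stopwatch API requests by users in revoked_users.

    revoked_users is the operator-maintained set of usernames whose repository
    access was revoked; Gitea itself keeps no such list.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query strings when matching
        status = int(rec["status"])
        if rec["user"] in revoked_users and status == 200 and STOPWATCH_PATH.match(path):
            hits.append(Hit(rec["user"], rec["method"], path, status, rec["time"]))
    return hits


# Constructed sample log: "mallory" had access to acme/secret-repo revoked but
# still lists stopwatches; "alice" is a current collaborator.
SAMPLE_LOG = [
    '10.0.0.5 - mallory [12/Jan/2026:09:14:02 +0000] "GET /api/v1/user/stopwatches HTTP/1.1" 200 312 "-" "curl/8.4.0"',
    '10.0.0.5 - mallory [12/Jan/2026:09:14:20 +0000] "GET /api/v1/repos/acme/secret-repo HTTP/1.1" 404 21 "-" "curl/8.4.0"',
    '10.0.0.9 - alice [12/Jan/2026:09:15:00 +0000] "POST /api/v1/repos/acme/secret-repo/issues/7/stopwatch/stop HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Jan/2026:09:16:00 +0000] "GET /api/v1/version HTTP/1.1" 200 25 "-" "curl/8.4.0"',
]
REVOKED_USERS = {"mallory"}  # constructed; maintained by the operator

if __name__ == "__main__":
    for hit in find_revoked_stopwatch_hits(SAMPLE_LOG, REVOKED_USERS):
        print(f"{hit.time} {hit.user} {hit.method} {hit.path} -> {hit.status}")
```

Only 200 responses are flagged because the leak is a successful read; a 403 or 404 on the same path shows the access check holding. On a real instance, feed the script the access log rather than SAMPLE_LOG and keep the revoked-user set in sync with the access-revocation process.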
